Cyber Crime and Cyber Terrorism


Table 7.1  Digital Evidence Categories Address Books and



Download 5,67 Mb.
Pdf ko'rish
bet87/283
Sana19.05.2022
Hajmi5,67 Mb.
#604880
1   ...   83   84   85   86   87   88   89   90   ...   283
Bog'liq
Cyber crime and cyber terrorism investigators handbook by Babak

Table 7.1 
Digital Evidence Categories
Address Books and 
Contact Lists
 
Configuration Files
 
Databases
Audio files and voice 
recordings
Process
Documents
Backups to various 
programs
Log files
Email and attachments files
Bookmarks and favorites
Organizer items
Registry keys
Browser history
Page files
Events
Chatting log
Network configuration
Hidden and system files
Calendars
Digital images
Videos
Compressed archives
Cookies
Virtual machines
Kernel statistic and modules System files
Temporary files
Videos
Printer spooler files
Type of used applications


80
CHAPTER 7
Seizing, imaging, and analyzing digital evidence
as the principle open source command line tool for this purpose (
Ligh, et al. 2014
). 
Tools such as Volatility allow for the analysis of data such as:
• Running and recently terminated processes
• Memory mapped files
• Open and recently closed network connections
• Decrypted versions of programs, data, and information
• Cryptographic key passphrases
• Malware
DATA CARVING AND MAGIC VALUES
One of the principle methods of RAM analysis is achieved via a method referred to 
as “data carving.” Carving is the process of looking for patterns in the data, some-
times referred to as “magic values.” These values are indicative of a certain type of 
data being in memory. For example Skype v3 messages start with the data “l33l,” so 
any area of RAM with these characters has a likelihood that a Skype message fol-
lows. Similarly 
TrueCrypt (2014)
passphrases contain the magic value “0x7d0.” File 
types existing in RAM (as well as in media storage, or traversing a network) can be 
identified by their magic values too. On finding the data of a particular type the data 
carving process may continue, depending on the type of data discovered, to extract 
and present the data in a way that it becomes more intelligible to forensic analyst. 
For example, it may be necessary to organize the data based on field boundaries, to 
separate these out and identify them. In most instances, the forensic examiner can 
be abstracted from the detail of these processes by the forensic tools. However, one 
of the principle benefits of open tools such as Volatility is they allow the forensic 
examiner to code their own modules, allowing the freedom to carve out data of a 
certain type not available natively. This can then be made available for the benefit of 
the open source community (see Chapter 6).

Download 5,67 Mb.

Do'stlaringiz bilan baham:
1   ...   83   84   85   86   87   88   89   90   ...   283




Ma'lumotlar bazasi mualliflik huquqi bilan himoyalangan ©hozir.org 2024
ma'muriyatiga murojaat qiling

kiriting | ro'yxatdan o'tish
    Bosh sahifa
юртда тантана
Боғда битган
Бугун юртда
Эшитганлар жилманглар
Эшитмадим деманглар
битган бодомлар
Yangiariq tumani
qitish marakazi
Raqamli texnologiyalar
ilishida muhokamadan
tasdiqqa tavsiya
tavsiya etilgan
iqtisodiyot kafedrasi
steiermarkischen landesregierung
asarlaringizni yuboring
o'zingizning asarlaringizni
Iltimos faqat
faqat o'zingizning
steierm rkischen
landesregierung fachabteilung
rkischen landesregierung
hamshira loyihasi
loyihasi mavsum
faolyatining oqibatlari
asosiy adabiyotlar
fakulteti ahborot
ahborot havfsizligi
havfsizligi kafedrasi
fanidan bo’yicha
fakulteti iqtisodiyot
boshqaruv fakulteti
chiqarishda boshqaruv
ishlab chiqarishda
iqtisodiyot fakultet
multiservis tarmoqlari
fanidan asosiy
Uzbek fanidan
mavzulari potok
asosidagi multiservis
'aliyyil a'ziym
billahil 'aliyyil
illaa billahil
quvvata illaa
falah' deganida
Kompyuter savodxonligi
bo’yicha mustaqil
'alal falah'
Hayya 'alal
'alas soloh
Hayya 'alas
mavsum boyicha


yuklab olish